8 matches found

EUVD
added 2026/03/30 3:30 a.m. · 1 view

EUVD-2026-17052

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary...

CVSS 7.5 · AI score 6 · EPSS 0.00021
Exploits 0 · References 3

CVE
added 2026/03/30 1:24 a.m. · 6 views

CVE-2026-3124

The CVE-2026-3124 issue affects the WordPress Download Monitor plugin up to version 5.1.7. The root cause is Insecure Direct Object Reference via the executePayment() function due to missing validation on a user controlled key. This enables unauthenticated attackers to complete arbitrary pending ...

CVSS 7.5 · AI score 6 · EPSS 0.00021
Exploits 0 · References 2

ATTACKERKB
added 2026/03/30 1:24 a.m. · 0 views

CVE-2026-3124

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary...

CVSS 7.5 · AI score 6 · EPSS 0.00021
Exploits 0 · References 3

Vulnrichment
added 2026/03/30 1:24 a.m. · 0 views

CVE-2026-3124 Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary...

CVSS 7.5 · AI score 6 · EPSS 0.00021
Exploits 0 · References 2

Hacker One
added 2026/03/10 7:43 a.m. · 18 views

curl: Connection Reuse Ignores OAuth Bearer Token Mismatch

Summary: The connection pool reuse function urlmatchconn in lib/url.c checks oauthbearer in its credential match block — but only for protocols marked as requiring per-connection credentials. For HTTP, OAuth bearer is passed as a header, not a protocol-level credential. If a libcurl application...

CVSS 8.1 · AI score 6.6 · EPSS 0.00348
Exploits 1

Positive Technologies
added 2023/09/27 12:00 a.m. · 1 view

PT-2023-16285 · 3Scale · Apicast

Name of the Vulnerable Software and Affected Versions: APICast affected versions not specified Description: A flaw was found in APICast, specifically in 3Scale's OIDC module, which does not properly evaluate the response to a mismatched token from a separate realm. This could allow a separate rea...

CVSS 7.5 · AI score 7.2 · EPSS 0.00205
Exploits 1 · References 6

Code423n4
added 2022/03/30 12:00 a.m. · 11 views

Swap Functions Do Not Verify Final Token Matches The Swapped Token

Lines of code Vulnerability details Impact When calling Swapper.executeSwaps there are no checks to ensure the received token matches the final swapped token. If these are different it may result in user funds being locked in the contract. This issue is present in each of the following functions:...

AI score 6.7
Exploits 0

Snyk
added 2020/11/24 4:51 p.m. · 1 view

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks...

CVSS 8.8 · AI score 6.8 · EPSS 0.00217
Exploits 0 · References 2